In our post last week we began a series focusing on audit committees. We briefly reviewed the history of audit committee requirements over the past 20 years or so, hoping that understanding the past will help us understand what the future might hold. The current discussion about audit committee roles and responsibilities flows from this history. This discussion also has roots in several auditor/client events that have happened over the last several years.
This post discusses some of those recent events, primarily SEC Enforcement cases and related matters as they relate to auditor independence. Hopefully this will help provide context and yield more insight into what the future may hold.
One of the major themes in the SEC’s “Possible Revisions to Audit Committee Disclosures” Concept Release is audit committee oversight of independent auditors. Independence is clearly an important aspect of this oversight. Historically independence has been the auditor’s responsibility. When the SEC and the PCAOB have promulgated independence rules they have been directed primarily to the auditor, not the company or the audit committee.
It may be that it is time for this attitude to evolve and change.
Recent SEC enforcement cases provide several examples where the dividing line between the auditor’s and the company’s responsibility for auditor independence has been very fuzzy. (To be clear, in these cases it would not appear that there were many overt bad actors who set out to break the rules. So, as you read the examples, ponder this: who should be in place to know the rules and assure compliance?)
A First Example
Sometimes independence problems are very simple. One of these foundational issues is that the auditor may not assist management in the preparation of financial statements. In fact, Regulation S-X Rule 2.01 states:
(4) Non-audit services. An accountant is not independent if, at any point during the audit and professional engagement period, the accountant provides the following non-audit services to an audit client:
(i) Bookkeeping or other services related to the accounting records or financial statements of the audit client. Any service, unless it is reasonable to conclude that the results of these services will not be subject to audit procedures during an audit of the audit client’s financial statements, including:
(A) Maintaining or preparing the audit client’s accounting records;
(B) Preparing the audit client’s financial statements that are filed with the Commission or that form the basis of financial statements filed with the Commission; or
(C) Preparing or originating source data underlying the audit client’s financial statements.
The idea here is that the auditor cannot really “audit” something they have prepared. This seems relatively straightforward, but when broker-dealers were first required to have their audits performed using the standards of the PCAOB and became subject to the SEC’s auditing requirements, this requirement was overlooked in a number of cases. Eight of these cases resulted in enforcement against auditors for helping their clients prepare financial statements.
You can read the details of the cases in this press release:
www.sec.gov/News/PressRelease/Detail/PressRelease/1370543608588
Now, as we described above, independence has usually been the bailiwick of the auditor. But, when there is an independence problem the company bears a harsh cost also, possibly even a new audit of the same period(s) by an auditor who is in fact independent. In a time of change such as using the PCAOB’s standards for the first time, would it be unreasonable to expect that the audit committee would be knowledgeable about these standards and as part of their oversight of auditing matters ask if there were any issues concerning compliance with the new standards? Is it possible that a strong audit committee could help avoid these problems?
Really, the deeper issue here is that a strong audit committee needs to monitor the financial reporting and auditing environment for changes and assure that management deals with these changes. Easy examples in today’s world include cybersecurity and oil prices.
As a postscript to this first example, the very first enforcement case brought by the PCAOB was over this very issue. It was “way back” in May of 2005. You can read the details at:
pcaobus.org/Enforcement/Decisions/Documents/05-24_Goldstein_and_Morris.pdf
A Second Example
The independence relationship can be very complex to track. Even a firm with only a few professionals may not always be aware of all the business activities of all its professionals. For larger firms this can be a huge quality control and compliance challenge. In a recent enforcement case a large firm was fined when its consulting affiliate maintained a business relationship with an individual who was a trustee and a board and audit committee member of three funds the firm audited.
Certainly there was a breakdown on the part of the firm in this case, but should the audit committees of the funds have been monitoring for such relationships? This is a complex issue, and the question should be addressed. As you will note in the press release linked below, the adequacy of the fund’s audit committee charter was called into question.
You can read the details of this case at:
www.sec.gov/news/pressrelease/2015-137.html
A Third Example
In this case an audit firm’s affiliate in Washington, DC provided lobbying services to companies that were also audit clients. Such advocacy services are always prohibited by the independence rules. And, again, the firm may well have a quality control system issue to address in tracking the myriad business relationships in a large professional practice. But again the questions surrounding the client’s responsibility and the role of audit committees need to be addressed. It is not just the auditor who has a consequence in this situation. In a complex commercial world where business can happen so quickly, this issue is even more important.
You can read the details of this case at:
www.sec.gov/News/PressRelease/Detail/PressRelease/1370542298984
Concluding Thoughts
None of these cases are simple, and in each case the fact set behind the case makes it clear there were generally no overt bad actors who were setting out to break rules. Which brings us back to the question: who is there to make sure that the rules are monitored and that companies comply? Is the audit committee part of that structure? We will see how the situation evolves!
As always, your thoughts and comments are appreciated!